The need for migrating enterprise networks from IPv4 to IPv6 is driven by a number of different technological, business, and social factors. The most important of these are:

- The exponential growth of the Internet is rapidly exhausting the existing IPv4 public address space. A temporary solution to this problem has been found in Network Address Translation (NAT), a technology that maps multiple private (intranet) addresses to a single public (Internet) address. Unfortunately, using NAT-enabled routers can introduce additional problems such as breaking end-to-end connectivity and security for some network applications. In addition, the rapid proliferation of mobile IP devices is accelerating the depletion of the IPv4 public address space.
- The growing use of real-time communications (RTC) on the Internet, such as Voice Over Internet Protocol (VoIP) telephony, Instant Messaging (IM), and audio/video conferencing, exposes the limited support for Quality of Service (QoS) currently provided in IPv4. These new RTC technologies need improved QoS on IP networks to ensure reliable end-to-end communications. The design of IPv4 limits possible improvements.
- The growing threats faced by hosts on IPv4 networks connected to the Internet can be mitigated considerably by deploying IPsec, both on private intranets and on tunneled connections across the public Internet. However, IPsec was designed as an afterthought to IPv4 and is complex and difficult to implement in many scenarios. IPsec traffic also cannot traverse a NAT if the data that needs translation is an encrypted portion of the packet.

IPv6, developed by the Internet Engineering Task Force (IETF) to solve these problems, includes the following improvements and additions:

- IPv6 increases the theoretical address space of the Internet from 4.3 × 10^9 addresses (based on 32-bit IPv4 addresses) to 3.4 × 10^38 possible addresses (based on 128-bit IPv6 addresses), which most experts agree should be more than sufficient for the foreseeable future.
- The IPv6 address space was designed to be hierarchical rather than flat in structure, which means that routing tables for IPv6 routers are smaller and more efficient than for IPv4 routers.
- IPv6 has enhanced support for QoS that includes a Traffic Class field in the header to specify how traffic should be handled, and a new Flow Label field in the header that enables routers to identify packets that belong to a traffic flow and handle them appropriately.
- IPv6 now requires IPsec support for standards-based, end-to-end security across the Internet. The new QoS enhancements even work when IPv6 traffic is encrypted using IPsec.

Understanding how IPv6 works is essential if you plan to benefit from IPv6 by deploying it in your enterprise. The following sections provide an overview of key IPv6 concepts, features, and terminology.
1. Understanding IPv6 Terminology
The following terminology is used to define IPv6 concepts and describe IPv6 features:

Node: An IPv6-enabled network device; the term covers both hosts and routers.

Host: An IPv6-enabled network device, such as a single-homed computer, that cannot forward IPv6 packets that are not explicitly addressed to itself. A host is an endpoint for IPv6 communications (either the source or destination) and drops all traffic not explicitly addressed to it.

Router: An IPv6-enabled network device that can forward IPv6 packets that are not explicitly addressed to itself. IPv6 routers also typically advertise their presence to IPv6 hosts on their attached links.

Link: One or more LAN (such as Ethernet) or WAN (such as PPP) network segments bounded by routers.

Neighbors: Nodes that are connected to the same physical or logical link.

Subnet: One or more links having the same 64-bit IPv6 address prefix. If no intra-subnet routers are present on the subnet, a subnet is equivalent to a link.

Interface: A representation of a node attached to a link. This can be a physical interface (such as a network adapter) or a logical interface (such as a tunnel interface).
2. Understanding IPv6 Addressing
IPv6 uses 128-bit (16-byte) addresses that are expressed in colon-hexadecimal form. For example, in the address 2001:DB8:3FA9:0000:0000:0000:00D3:9C5A, each block of four hexadecimal digits represents a 16-bit binary number. The eight blocks of four hexadecimal digits thus equal 8 × 16 = 128 bits in total.

You can shorten colon-hexadecimal addresses by suppressing the leading zeros in each block. Using this technique, the representation of the preceding address becomes 2001:DB8:3FA9:0:0:0:D3:9C5A.

You can shorten colon-hexadecimal addresses even further by compressing a contiguous run of all-zero blocks into a double colon (“::”). The address in our example thus shortens to 2001:DB8:3FA9::D3:9C5A. Note that only one double colon can be used per IPv6 address, because with two the number of zero blocks hidden by each could not be determined unambiguously.
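The following is an added example, not code from the original text: it implements the two shortening rules just described in Python, together with the reverse expansion. It compresses only the longest run of two or more zero blocks (the convention RFC 5952 recommends; on a tie the first run wins) and rejects an address containing a second "::".

```python
# Added example, not from the original text: the two shortening rules
# described above (leading-zero suppression and "::" compression) and
# the reverse expansion, with the one-"::" rule enforced.
import re

HEX_BLOCK = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> list:
    """Return the eight 16-bit blocks of a colon-hexadecimal address.
    Raises ValueError on malformed input, including a second '::'."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed per address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)     # blocks hidden by '::'
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(HEX_BLOCK.match(p) for p in parts):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [int(p, 16) for p in parts]


def compress(blocks: list) -> str:
    """Write eight blocks with leading zeros suppressed and the longest
    run of two or more zero blocks replaced by a single '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:                    # strict: first run wins ties
            best_start, best_len = i, j - i
        i = j
    hexed = [f"{b:X}" for b in blocks]          # formatting drops leading zeros
    if best_len < 2:
        return ":".join(hexed)
    left = ":".join(hexed[:best_start])
    right = ":".join(hexed[best_start + best_len:])
    return f"{left}::{right}"
```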
Understanding IPv6 Prefixes
An IPv6 prefix indicates the portion of the address used for routing (a subnet or a set of subnets as a summarized route) or for identifying an address range. IPv6 prefixes are expressed in a similar fashion to the Classless Inter-Domain Routing (CIDR) notation used by IPv4. For example, 2001:DB8:3FA9::/48 might represent a route prefix in an IPv6 routing table.

In IPv4, CIDR notation can be used to represent individual unicast addresses in addition to routes and subnets. IPv6 prefixes, however, are used only to represent routes and address ranges, not unicast addresses. This is because, unlike IPv4, IPv6 does not support variable-length subnet identifiers, and the number of high-order bits used to identify a subnet in IPv6 is always 64. It is thus redundant to represent the address in our example as 2001:DB8:3FA9::D3:9C5A/64; the /64 portion of the representation is understood.
Understanding IPv6 Address Types
IPv6 supports three different address types:

Unicast: Identifies a single interface within the scope of the address. (The scope of an IPv6 address is that portion of your network over which this address is unique.) IPv6 packets with unicast destination addresses are delivered to a single interface.

Multicast: Identifies zero or more interfaces. IPv6 packets with multicast destination addresses are delivered to all interfaces listening on the address. (Generally speaking, multicasting works the same way in IPv6 as it does in IPv4.)

Anycast: Identifies multiple interfaces. IPv6 packets with anycast destination addresses are delivered to the nearest interface (measured by routing distance) specified by the address. Currently, anycast addresses are assigned only to routers and can only represent destination addresses.

Note: IPv6 address types do not include broadcast addresses as used by IPv4. In IPv6, all broadcast communications are performed using multicast addresses. See Table 2 for more information on multicast addresses.
Understanding Unicast Addresses
Unicast addresses are addresses that identify a single interface. IPv6 has several types of unicast addresses:

Global Unicast Address
An address that is globally routable over the IPv6-enabled portion of the Internet. Therefore, the scope of a global address is the entire Internet, and global addresses in IPv6 correspond to public (non-RFC 1918) addresses used in IPv4. The address prefix currently used for global addresses is 2000::/3 and the structure of a global address is:

- The first 48 bits of the address are the global routing prefix specifying your organization’s site. (The first three bits of this prefix must be 001 in binary notation.) These 48 bits represent the public topology portion of the address, which represents the collection of large and small Internet Service Providers (ISPs) on the IPv6 Internet and which is controlled by these ISPs through assignment by the Internet Assigned Numbers Authority (IANA).
- The next 16 bits are the subnet ID. Your organization can use this portion to specify up to 65,536 unique subnets for routing purposes inside your organization’s site. These 16 bits represent the site topology portion of the address, which your organization has control over.
- The final 64 bits are the interface ID and specify a unique interface within each subnet.
Link-Local Unicast Address
An address used by a node for communicating with neighboring nodes on the same link. Therefore, the scope of a link-local address is the local link on the network; link-local addresses are never forwarded beyond the local link by IPv6 routers. Since link-local addresses are assigned to interfaces using IPv6 address autoconfiguration, link-local addresses in IPv6 correspond to Automatic Private IP Addressing (APIPA) addresses used in IPv4 (which are assigned from the address range 169.254.0.0/16). The address prefix used for link-local addresses is FE80::/64 and the structure of a link-local address is:

Link-local addresses can be reused—in other words, two interfaces on different links can have the same address. This makes link-local addresses ambiguous; an additional identifier called the zone ID (or scope ID) indicates to which link the address is either assigned or destined. In Windows Vista, the zone ID for a link-local address corresponds to the interface index for that interface. You can view a list of interface indexes on a computer by typing netsh interface ipv6 show interface at a command prompt.
Site-Local Unicast Address
An address that is used by a node for communicating with other nodes on a private network having multiple subnets or links. The scope of a site-local address is the entire network at the site, which is typically a single geographical area such as a building or campus. Since site-local addresses are not reachable except within an organization’s intranet, site-local addresses in IPv6 correspond to private (RFC 1918) addresses used in IPv4. The structure of a site-local address is:

- The first 10 bits of the address are always FEC0::/10 or 1111 1110 11 (binary).
- The next 54 bits are the subnet ID. Your organization can use this portion to specify additional subnets for routing purposes inside your organization’s site.
- The last 64 bits are the interface ID and specify a unique interface within each subnet.

Note that RFC 3879 now deprecates the use of site-local addresses. The replacement for site-local addresses is unique local addresses. Existing IPv6 deployments may continue to use site-local addresses.
Unique Local Unicast Address
Because a site-local address prefix can represent multiple sites within an organization, it is ambiguous and not well-suited for intra-organizational routing purposes. Therefore, RFC 4193 currently proposes a new type of address called a unique local unicast address (or just local address). The scope of this address is global to all sites within the organization, and using this address type simplifies the configuration of an organization’s internal IPv6 routing infrastructure. The structure of a local address is:

- The first 7 bits of the address are always 1111 110 (binary) and the eighth bit is set to 1, indicating a local address. This means that the address prefix is always FD00::/8 for this type of address.
- The next 40 bits represent the global ID, a randomly generated value that identifies a specific site within your organization.
- The next 16 bits represent the subnet ID and can be used for further subdividing the internal network of your site for routing purposes.
- The last 64 bits are the interface ID and specify a unique interface within each subnet.
Identifying IPv6 Address Types
As Table 1 shows, you can quickly determine which type of IPv6 address you are dealing with by looking at the beginning part of the address—that is, the high-order bits of the address. Tables 2 and 3 also show examples of common IPv6 addresses that you can recognize directly from their colon-hexadecimal representation.

Table 1. Identifying IPv6 Address Types Using High-Order Bits and Address Prefix

| Address type | High-order bits | Address prefix |
|---|---|---|
| Global unicast | 001 | 2000::/3 |
| Link-local unicast | 1111 1110 10 | FE80::/64 |
| Site-local unicast | 1111 1110 11 | FEC0::/10 |
| Multicast | 1111 1111 | FF00::/8 |

Table 2. Identifying Common IPv6 Multicast Addresses

| Function | Scope | Representation |
|---|---|---|
| All-nodes multicast | Interface-local | FF01::1 |
| All-nodes multicast | Link-local | FF02::1 |
| All-routers multicast | Interface-local | FF01::2 |
| All-routers multicast | Link-local | FF02::2 |
| All-routers multicast | Site-local | FF05::2 |

Table 3. Identifying Special IPv6 Addresses

| Function | Representation |
|---|---|
| Unspecified address (no address) | :: |
| Loopback address | ::1 |
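An added example, not code from the original text, that applies Table 1 and Table 3 to classify an address by its high-order bits, reads the multicast scope nibble that distinguishes the rows of Table 2, and splits a global unicast address into the 48-bit routing prefix, 16-bit subnet ID and 64-bit interface ID described under Global Unicast Address. Parsing is left to Python's standard ipaddress module; the unique-local check follows this text's FD00::/8 description, and scope E (global) is added from the multicast scope assignments.

```python
# Added example, not from the original text. Classifies an address by its
# high-order bits (Tables 1 and 3), reads the multicast scope nibble used in
# Table 2, and splits a global unicast address into its 48/16/64-bit fields.
import ipaddress

# Scope nibble values listed in Table 2, plus E for global scope.
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local",
                0x5: "site-local", 0xE: "global"}


def classify(addr: str) -> str:
    """Return the address type implied by the high-order bits."""
    value = int(ipaddress.IPv6Address(addr))   # accepts compressed form
    if value == 0:
        return "unspecified"                    # ::
    if value == 1:
        return "loopback"                       # ::1
    if (value >> 120) == 0xFF:                  # 1111 1111 -> FF00::/8
        return "multicast"
    if (value >> 118) == 0b1111111010:          # 1111 1110 10 -> FE80 (Table 1)
        return "link-local unicast"
    if (value >> 118) == 0b1111111011:          # 1111 1110 11 -> FEC0::/10
        return "site-local unicast"
    if (value >> 120) == 0xFD:                  # 1111 110 + 1 -> FD00::/8
        return "unique local unicast"
    if (value >> 125) == 0b001:                 # 001 -> 2000::/3
        return "global unicast"
    return "other"


def multicast_scope(addr: str) -> str:
    """Return the scope encoded in the low nibble of the second byte."""
    value = int(ipaddress.IPv6Address(addr))
    if (value >> 120) != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    return MCAST_SCOPES.get((value >> 112) & 0xF, "other")


def split_global(addr: str) -> dict:
    """Split a global unicast address into routing prefix, subnet ID and
    interface ID; the /64 boundary is implicit, as the text explains."""
    if classify(addr) != "global unicast":
        raise ValueError(f"{addr} is not a global unicast address")
    value = int(ipaddress.IPv6Address(addr))
    routing_prefix = value >> 80                # high-order 48 bits
    subnet_id = (value >> 64) & 0xFFFF          # next 16 bits
    interface_id = value & ((1 << 64) - 1)      # final 64 bits
    return {
        "routing_prefix": str(ipaddress.IPv6Network((routing_prefix << 80, 48))),
        "subnet_id": f"{subnet_id:04X}",
        "interface_id": f"{interface_id:016X}",
    }
```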
Understanding Interface Identifiers
For all the types of unicast IPv6 addresses described in the preceding sections, the last 64 bits of the address represent the interface ID and are used to specify a unique interface on a local link or subnet. In previous versions of Microsoft Windows, the interface ID is uniquely determined as follows:

- For link-local addresses, such as a network adapter on an Ethernet segment, the interface ID is derived from either the unique 48-bit MAC-layer (Media Access Control) address of the interface or is equivalent to the unique EUI-64 (Extended Unique Identifier) address of the interface as defined by the Institute of Electrical and Electronics Engineers (IEEE).
- For global address prefixes, an EUI-64-based interface ID creates a public IPv6 address.
- For global address prefixes, a temporary random interface ID creates a temporary address. This approach is described in RFC 3041; you can use it to help provide anonymity for client-based usage of the IPv6 Internet.

In Windows Vista, however, the interface ID is always randomly generated for all types of unicast IPv6 addresses assigned to any type of interface.
Comparing IPv6 with IPv4
Table 4 compares and contrasts the IPv4 and IPv6 addressing schemes.

Table 4. Comparison of IPv4 vs. IPv6 Addressing

| Feature | IPv4 | IPv6 |
|---|---|---|
| Number of bits (bytes) | 32 (4) | 128 (16) |
| Expressed form | Dotted-decimal | Colon-hexadecimal |
| Variable-length subnets | Yes | No |
| Public addresses | Yes | Yes (global addresses) |
| Private addresses | Yes (RFC 1918 addresses) | Yes (local and site-local addresses) |
| Autoconfigured addresses for the local link | Yes (APIPA) | Yes (link-local addresses) |
| Support for address classes | Yes, but deprecated by CIDR | No |
| Broadcast addresses | Yes | Multicast used instead |
| Subnet mask | Required | Implicit /64 address prefix for addresses assigned to interfaces |